Seen a similar issue, and traced it to what appears to be a brute-force attack on logging into WordPress (thousands of POST /wp-login.php from the same IP in access_log), and then access to /wp-admin/theme-editor.php, which proceeded to GET /wp-admin/theme-editor.php?file=/themes/classic/comments.php&theme=WordPress+Classic&dir=theme and then POST a new one. That is the root program that updates the other files.

After removing any additional PHP code you missed (search access_log for access to wp-admin), to fix it, restrict wp-login.php, or at least /wp-admin/, to trusted IPs.

Having the site under version control also helps identify any changed files.
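The log search described in the post above, as an added example that is not part of the original thread: it parses Apache combined-format access_log lines, counts POST /wp-login.php per IP, and then lists which of the heavy hitters went on to POST to the theme or plugin editor (the request that actually writes PHP into the site). The log lines below are constructed for the example, not taken from any real server; the threshold of 3 is set low so the sample triggers (the thread is talking about thousands), and the script assumes stock WordPress behaviour, where a failed login re-renders the form with 200 and a successful one redirects with 302.

```python
"""Triage an Apache access_log for the brute-force -> theme-editor pattern.

Added example; SAMPLE_LOG is constructed and IPs are documentation ranges.
Pass the log as a list of lines, since it is walked more than once.
"""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# A POST to either of these writes a file into the site's PHP tree.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")

# Constructed sample: one attacker (203.0.113.7) fails three times, gets in,
# then edits comments.php; one legitimate admin (198.51.100.20) logs in once
# and only reads the editor page.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2013:02:14:09 +0000] "GET /wp-admin/theme-editor.php?file=/themes/classic/comments.php&theme=WordPress+Classic&dir=theme HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2013:02:14:31 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2013:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2013:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2013:09:02:10 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.99 - - [03/Mar/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "curl/7.29"
"""


def parse(lines):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            rec["status"] = int(rec["status"])
            yield rec


def login_attempts(lines):
    """Per-IP counts of POST /wp-login.php, split into failed (200) and
    success (3xx redirect), per stock WordPress behaviour (assumption)."""
    out = defaultdict(lambda: {"failed": 0, "success": 0})
    for r in parse(lines):
        if r["method"] == "POST" and r["path"] == "/wp-login.php":
            key = "success" if r["status"] in (301, 302) else "failed"
            out[r["ip"]][key] += 1
    return dict(out)


def brute_force_ips(lines, threshold):
    """IPs with at least `threshold` failed login POSTs, sorted."""
    return sorted(ip for ip, c in login_attempts(lines).items()
                  if c["failed"] >= threshold)


def editor_writes(lines, ips):
    """(ip, timestamp, path) for every editor POST made by the given IPs:
    these are the requests that planted the PHP, and they date the compromise."""
    return [(r["ip"], r["ts"], r["path"]) for r in parse(lines)
            if r["ip"] in ips and r["method"] == "POST" and r["path"] in EDITOR_PATHS]


def triage(lines, threshold):
    """Combine both checks into one report."""
    ips = set(brute_force_ips(lines, threshold))
    return {"brute_force_ips": sorted(ips), "editor_writes": editor_writes(lines, ips)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(k, v)
```

On a real server, run it over the whole rotated set (`zcat access_log*.gz` plus the live file) rather than just the current file, since the login storm often predates the editor write by days; and treat a POST to theme-editor.php or plugin-editor.php from an IP you do not recognise as the moment the backdoor went in, which is the earliest point your backups need to predate.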

Sorry, never meant to imply you can. The main fix was to lock down the point of entry not to just revert the files.

That said, some of the steps listed in those are just shotgun approaches for when you don't know how the files were altered, and don't have some good way, such as version control or differential backup comparison, to tell what was altered, or log analysis tools, etc...

You should still rebuild the server, change all the passwords, etc... However sometimes it's important to stop the problem and schedule the rest a little later.

Just taking an immediate shotgun approach isn't perfect either, because if you are dealing with a 0-day exploit, you could be just as open after all that work of rebuilding. So it is still important to figure out what happened and know how to block it.

Warning: Something's Not Right Here!
xxxxMY-WESBITExxxxxx.com contains content from jqbttmjdxx.ddns.ms, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified jqbttmjdxx.ddns.ms that we found malware on the site. For more about the problems found on jqbttmjdxx.ddns.ms, visit the Google Safe Browsing diagnostic page.

esmi, all Sucuri does is parse the page... if that was truly a malware infection it would not even be able to read that, because that code snippet is written in PHP and wrapped in code tags. Sucuri can only detect client-side malware and compare domain hashes to the Google Safe Browsing API.

I just verified j0hnnyb0y's statement by wget and reading the code. It is the exploit code, but not active, wrapped in code blocks so you can see an actual example of what you are looking for. Your (and my) antivirus/malware software isn't smart enough to tell that it's not going to be parsed and run by the browser.

This last week I came across 19 individual infections and 2 server-wide infections. In regards to the server infections, one of those malicious plugins actually created a cron job that was copying the malware to every index.php, index.html, default.html, and main.html file in the webroot.

Just wondering how many people have been dealing with this one in particular...